omueller
Forum Replies Created
Forum: Plugins
In reply to: [Geo Tag] Markers not showing
<me too /> : plugin is still working great in post edition mode under wp 3.9.2 but I also can’t display the markers.
(PS: to get the correct map, you will first need to patch your plugin code according to http://wordpress.org/support/topic/i-like-it-but-there-is-a-show-stop-bug-in-096?replies=1#post- )
Hello & many thanks for this useful plugin!
Just a small feature request for the next update: it seems the cache is emptied as soon as somebody creates a new post (post_status = “auto-draft” in the wp_posts table).
Maybe you could ignore these specific posts until they are completely ready and published ? Otherwise the cache gets emptied pretty often, especially on a busy page with many redactors like on our system.
Kind regards,
Olivier
PS: strangely, it seems all pages are then gone from the cache, even if the plugin only purges /category/(.*), /, /feed and the new post. But simply ignoring auto-draft posts should solve this anyway… 🙂
Forum: Themes and Templates
In reply to: Horizontal scrolling transition for WP-based pages ?
This looks pretty cool Andrew, thanks for your feedback ! Also if your webpage does not seem to use wordpress. Or would you have something similar as wp-theme ?
I also saw some nice examples under http://www.designinsocial.com/ (but vertical) and some jQuery.ScrollTo-based stuff or similar.
Regards, O.
Forum: Themes and Templates
In reply to: Horizontal scrolling transition for WP-based pages ?
No idea yet… Ok, then I will try to do something by myself, also if it will probably take a long time 🙂 Cheers, O.
No, I can’t be sure as I’m just the sysadmin there, not the webpage manager, but the spam-relay-issue is a problem for me, so that’s why I’m looking at that… But there was probably a problem before, because the blog was already relaying spams before the upgrade to 3.0.1 (it’s why it has been upgraded).
DB looks ok, just one admin user and a few standard users.
FTP log also ok, so it most probably came from the web. I will check the weblogs archive later.
index.php is the same as in the wordpress-3.0.1.zip distribution.
I guess there must be some files from old installations lying around… We’ll try an installation from scratch later this week or next week.
Checked and nothing. All these “old” injections were for much older versions of WordPress: 3.0.1 is installed here… 🙂
thanks for your feedback heincredibleDude! Yes, it’s similar to this 2008 bug, but not exactly the same. I checked the files for “_wp_debugger” and other things (_POST[‘file’]) but with no success.
index.php has been modified by the webdesigner, but doesn’t seem to contain any “bad” or injected code. But I also see many old files (from 2008) which should probably have been deleted or at least updated.
I also just found a directory called “…” (3 dots) in the wp-content directory with some “strange” things inside:
drwxrwxr-x 10 512 Aug 30 00:58 .
drwxrwxrwx 10 512 Oct 26 14:13 ..
drwxr-xr-x 4 512 Aug 30 00:58 addthis
-rw-rw-r-- 1 677 Aug 27 12:03 adrotator.php
drwxrwxr-x 5 512 Aug 24 2009 audioplayer
-rw-r--r-- 1 2240 May 3 2010 hello.php
-rw-r--r-- 1 30 Apr 15 2009 index.php
drwxrwxr-x 4 512 Feb 6 2009 photopress
-rw-rw-r-- 1 133120 Jun 10 2009 photopress.tar
-rw-rw-r-- 1 39846 Jun 10 2009 photopress_1.5.2.zip
drwxrwxrwt 4 512 Jul 26 2009 postie
-rw-rw-r-- 1 1331253 Jun 10 2009 postie.1.2.3.zip
-rw-rw-r-- 1 1474560 Jun 10 2009 postie.tar
drwxrwxr-x 7 1024 Aug 24 2009 proplayer
drwxr-xr-x 5 512 Aug 27 14:49 quick-cache
-rw-rw-r-- 1 1823 Jun 10 2009 redirectify.php
drwxrwxr-x 2 512 Jan 4 2010 videos-plugin
-rw-rw-r-- 1 31091 Jun 10 2009 wp-db-backup.php
-rw-rw-r-- 1 52709 Jun 10 2009 wp-super-cache.0.9.4.3.zip
-rw-rw-r-- 1 7613 Jun 10 2009 wp-xmlmigrate.php
drwxr-xr-x 2 512 Aug 30 00:36 youtube
-rw-rw-r-- 1 1497 Jun 10 2009 youtube.1.php
but there doesn’t seem to be any include “…/xyz” in the code. Maybe it was removed with the 3.0.1 upgrade, but there is definitely something to be done there.
I will ask the webmaster to do a clean installation and to remove any old file first.
To be continued!
regards, O.
Strange, would I be the only one with this spam-problem?
And here the “disabled” hack code (just to give an idea, otherwise there is no way to answer the issue anymore…). Hack-code has been removed.
The question is why WordPress simply runs this code coming from a POST request with “file=xyz” as parameter ? Does it happen by default, or is it a bad configuration from the blog owner?
1) “raw” POST request:
Request: domain.ext 95.168.210.229 - - [16/Nov/2010:13:18:16 +0100] "POST / HTTP/1.1" 200 9 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3" jSLZPj4wA4wA ANRuqbIAAAAA "-"
----------------------------------------
POST / HTTP/1.1
Host: domain.ext
Cookie: 545a398915a49f25=46b6f4af9be2faec;_wp_debugger=b5a7308802027b504c188deac3fa5c40;
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Content-Length: 8389
Content-Type: application/x-www-form-urlencoded
Expect: 100-continue

8389
file=QGV2YWwoZGVjcnlwdCgi... [censored] [censored] [censored] ...CiAgICB9DQogICAgcmV0dXJuICRyZXM7DQp9

HTTP/1.1 200 OK
Expires: Tue, 09 Nov 2010 12:18:16 GMT
Last-Modified: Tue, 16 Nov 2010 12:18:16 GMT

2) Decoded request:
@eval(decrypt("...[censored]...") [...]

3) Final spam code:
unset($_POST['file']);
$stage="second";
[...]
$domain = substr($from, strpos($from, "@"), strlen($from));
$header = "From: ".$realname." <".$from.">\r\n";
$header .= "Message-Id: <130746".mt_rand(1000,2000).".".mt_rand(0,2000).$domain.">\r\n";
$header .= "MIME-Version: 1.0\r\n";
$header .= "Content-Type: text/html\r\n";
$header .= "Content-Transfer-Encoding: 8bit\r\n\r\n";
$header .= nl2br($message)."\r\n";
if(mail($to,$subject,"",$header)) echo "mail_good";
[...]

PS: just checked the logs, and it always seems to come from this host: unn-95-168-210-229.superhosting.cz (95.168.210.229), with a spam about every 5 minutes. Since it is blocked (with the .htaccess), it tries other urls…
unn-95-168-210-229.superhosting.cz - - [16/Nov/2010:13:07:14 +0100] "POST / HTTP/1.1" 200 9 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3"
unn-95-168-210-229.superhosting.cz - - [16/Nov/2010:13:18:15 +0100] "POST / HTTP/1.1" 200 32 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3"
unn-95-168-210-229.superhosting.cz - - [16/Nov/2010:13:18:15 +0100] "POST / HTTP/1.1" 200 9 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3"
unn-95-168-210-229.superhosting.cz - - [16/Nov/2010:13:43:09 +0100] "POST / HTTP/1.1" 403 202 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3"
unn-95-168-210-229.superhosting.cz - - [16/Nov/2010:13:43:09 +0100] "POST /?s=google HTTP/1.1" 403 202 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3"
unn-95-168-210-229.superhosting.cz - - [16/Nov/2010:13:43:09 +0100] "POST /wp-atom.php HTTP/1.1" 403 213 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3"
unn-95-168-210-229.superhosting.cz - - [16/Nov/2010:13:43:09 +0100] "POST /wp-login.php HTTP/1.1" 403 214 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3"
unn-95-168-210-229.superhosting.cz - - [16/Nov/2010:13:43:10 +0100] "POST /wp-login.php HTTP/1.1" 403 214 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3"
unn-95-168-210-229.superhosting.cz - - [16/Nov/2010:13:43:33 +0100] "POST / HTTP/1.1" 403 202 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3"
[...]
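
A detection sketch for the two patterns shown in the posts above (a form field whose base64 payload decodes to PHP execution calls, and one client POSTing to many different URLs once it is blocked). This is an added example, not part of the original thread; the function names, the keyword list and the sample data are assumptions made for illustration.

```python
import base64
import re
from collections import defaultdict
from urllib.parse import parse_qs

# host ident user [time] "METHOD path proto" status ... (start of a combined-format line)
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')
# PHP execution constructs that should never arrive inside a form field (assumed list).
PHP_EXEC_RE = re.compile(rb"\b(eval|assert|system|passthru|base64_decode)\s*\(", re.I)


def suspicious_post_fields(body):
    """Names of form fields whose base64-decoded value contains a PHP exec call."""
    hits = []
    for name, values in parse_qs(body, keep_blank_values=True).items():
        for value in values:
            try:
                # parse_qs turns '+' into ' '; undo that before strict decoding.
                decoded = base64.b64decode(value.replace(" ", "+"), validate=True)
            except ValueError:
                continue  # not base64, e.g. an ordinary search term
            if PHP_EXEC_RE.search(decoded):
                hits.append(name)
    return hits


def post_probers(lines, min_paths=3):
    """Hosts that sent POSTs to at least min_paths distinct URLs."""
    paths = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if m and m.group(2) == "POST":
            paths[m.group(1)].add(m.group(3))
    return {h: sorted(p) for h, p in paths.items() if len(p) >= min_paths}


# Constructed samples (not copied from the thread); 192.0.2.0/24 is a documentation range.
SAMPLE_BODY = "s=google&file=" + base64.b64encode(b'@eval(decrypt("CONSTRUCTED"));').decode()
SAMPLE_LOG = [
    '192.0.2.10 - - [16/Nov/2010:13:43:09 +0100] "POST / HTTP/1.1" 403 202 "-" "UA"',
    '192.0.2.10 - - [16/Nov/2010:13:43:09 +0100] "POST /?s=google HTTP/1.1" 403 202 "-" "UA"',
    '192.0.2.10 - - [16/Nov/2010:13:43:09 +0100] "POST /wp-atom.php HTTP/1.1" 403 213 "-" "UA"',
    '192.0.2.10 - - [16/Nov/2010:13:43:10 +0100] "POST /wp-login.php HTTP/1.1" 403 214 "-" "UA"',
    '192.0.2.77 - - [16/Nov/2010:13:44:02 +0100] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "UA"',
    '192.0.2.77 - - [16/Nov/2010:13:44:03 +0100] "GET / HTTP/1.1" 200 5120 "-" "UA"',
]

if __name__ == "__main__":
    print(suspicious_post_fields(SAMPLE_BODY))
    print(post_probers(SAMPLE_LOG))
```

The body check needs the request body, so it applies to an audit log like the "raw" request in the post, not to a plain access log, which records only the request line.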